Today, we discovered an unused URL on our site: /collections/vendors
This URL path exists on every Shopify site, and it can be a huge security hole.
This path takes a query-string parameter (q) and allows you to override content (titles and page details). As a "feature", it allows you to create customized pages for partners and vendors. For a link hacker, it is a pathway to filling up Google with bad content under your website.
In the Shopify Admin, go to Online Store > Navigation and then use the View URL Redirects link at the top of the page. Redirect /collections/vendors to /404
Edit your theme.liquid file. Add the following in the <head> section:
{%- if request.path == '/collections/vendors' -%}
<meta name="robots" content="noindex">
{%- endif -%}
Consider creating a custom robots.txt file. This is a bit more complicated. Basically, you go into the code of your theme and add a new template; robots.txt should be one of the options. This will create a custom version in your code base. Once you have that, you can add:
User-agent: *
Disallow: /collections/vendors
which should tell all search engines to ignore content within /collections/vendors.
Consider editing your collections.liquid and theme.liquid to protect the <title> element of the page and the body content of the page (typically anywhere collection.title is used in the code).
Check to see if your website has already been a target. Go to Google and search for “site:yourstore.com/collections/vendors” (minus quotes)
If there are lots of bad URLs, taking the steps I’ve outlined above should help. You can also log into the Google Search Console and request immediate removal of all links that begin with https://yoursite.com/collections/vendors
Just make sure you do that last bit correctly or you’ll zap your whole site from Google (bad!)
My pleasure, Threed! There are soooo many Shopify customers impacted by this. The exploit has been around for a long time too. There is zero reason for this. Zero!
Thank you! I've got 3,070,000 results. Google SC has been giving me high fives for the massive increase in traffic from the Far East, so I knew something was wrong. I've done everything on your list... I was wondering how I go about no. 5? Your instructions are pretty plain English and much appreciated!
For number 5, the first thing to note is that the q parameter overrides the title of the collection when the path is /collections/vendors. So, anywhere your theme uses something like collection.title, you should wrap it with a conditional clause that looks for /collections/vendors and then does something else.
For my theme that meant a change to the main theme.liquid file and another in something called collection-header.liquid. My guess is that theme.liquid will apply to pretty much every site. The collection page itself, though, probably has a unique structure.
theme.liquid - Find your <title> section. If you already have conditions there to display different text, you'll want to expand it with an elsif statement like I did below:
{% if request.page_type == 'index' %}
{{ page_title }}
{% elsif request.path == '/collections/vendors' %}
Name of Your Site
{% else %}
{{ page_title }} | {{ shop.name }}
{% endif %}
For the collection page itself (collection-header.liquid in my case), I wrapped the use of collection.title with an if statement like this:
{%- if request.path != '/collections/vendors' -%}{{ collection.title }}{%- endif -%}
If your site is the one I think it is (I did a quick Google search), you will want to look for the template that has an h1 tag with the class of "collection-hero__title".
I would also recommend just bringing up the /collections/vendors page with a q parameter that is easy to identify and then look at the resulting HTML code. For example, /collections/vendors?q=ARGHHHH Then when you view code, you can look for ARGHHHH and track down all the instances in your theme where it might appear and escape them out using the techniques above.
Shopify is completely ignoring this and they’re recommending “no action is the best action.” Do NOT do nothing about this - it will destroy your AS and heavily impact your rankings.
The robots.txt won't be effective if the pages are already indexed, as it stops Google from crawling these pages and finding the 'noindex'. Robots.txt is also only a recommendation, and Google will ignore it from time to time. Also, if you're using vendors, you can enter the following code and it will 'noindex' /collections/vendors pages that have no products in them, past and future. Enter it in the <head> section of your theme.liquid file. I put mine where it's easy to find for future updates.
{%- if request.path == '/collections/vendors' and collection.all_products_count == 0 -%}
<meta name="robots" content="noindex">
{%- endif -%}
You can verify the code is effective in Search Console by 'testing live URL'. It will take time for Google to recrawl these pages, but it should slowly remove them from the index and stop them affecting your site.
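The check described two replies up (load /collections/vendors?q=ARGHHHH and hunt for ARGHHHH in the page source), combined with the robots.txt-versus-noindex distinction made in the reply just above, as an added example that is not code from any poster in this thread or from Shopify. It runs offline: the three HTML responses and the robots.txt below are constructed stand-ins for what you would fetch from your own store, and the path, marker and store name are assumptions. It goes slightly beyond the thread in that it also catches the marker reflected inside attribute values (for example an og:title meta tag), which a visual scan of the source can miss.

```python
"""Offline check for the /collections/vendors?q= reflection discussed in this thread.

Added example, not from any poster or from Shopify. The HTML bodies and the
robots.txt are constructed samples; point find_reflections()/classify() at the
real body you fetch from your store at /collections/vendors?q=ARGHHHH.
"""
from html.parser import HTMLParser
from urllib.robotparser import RobotFileParser

VENDORS_PATH = "/collections/vendors"          # assumed path under test
MARKER = "ARGHHHH"                             # easy-to-spot q value from the thread
VOID_TAGS = {"meta", "link", "br", "img", "input", "hr"}


class _Scanner(HTMLParser):
    """Record where the marker is echoed (text nodes and attribute values)
    and the content of every <meta name="robots"> tag."""

    def __init__(self, marker):
        super().__init__()
        self.marker = marker
        self.stack = []      # open-tag path, e.g. html/head/title
        self.robots = []     # content of each <meta name="robots">
        self.hits = []       # places the marker was reflected

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "robots":
            self.robots.append((a.get("content") or "").lower())
        for name, value in attrs:                    # e.g. og:title content
            if self.marker and value and self.marker in value:
                self.hits.append(f"{tag}@{name}")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if tag in self.stack:
            while self.stack.pop() != tag:
                pass

    def handle_data(self, data):
        if self.marker and self.marker in data:
            self.hits.append("/".join(self.stack))


def find_reflections(html, marker=MARKER):
    """Every text node or attribute in which the q value was echoed back."""
    s = _Scanner(marker)
    s.feed(html)
    return s.hits


def has_noindex(html):
    """True if a <meta name="robots"> tag tells engines not to index the page."""
    s = _Scanner(None)
    s.feed(html)
    return any("noindex" in c for c in s.robots)


def classify(status, html, marker=MARKER):
    """State of a store given the status and body of /collections/vendors?q=<marker>."""
    if status == 404:
        return ("404", [])            # platform-side fix has reached this store
    hits = find_reflections(html, marker)
    if not hits:
        return ("clean", [])          # theme guards every use of collection.title
    if has_noindex(html):
        return ("noindex", hits)      # still reflected, but not indexable
    return ("exposed", hits)          # reflected and indexable: fix the theme


def robots_blocks(robots_txt, path=VENDORS_PATH, agent="Googlebot"):
    """True if robots.txt forbids crawling the path. This only stops crawling:
    an already-indexed URL can stay indexed, and a crawler that is blocked can
    no longer see a noindex tag on it, which is why the thread pairs the two."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return not rp.can_fetch(agent, f"https://example.com{path}?q=x")


# --- constructed samples (not captured from any real store) ----------------
VULNERABLE_HTML = f"""<!doctype html><html><head>
<title>{MARKER} | Example Store</title>
<meta property="og:title" content="{MARKER}">
</head><body>
<h1 class="collection-hero__title">{MARKER}</h1>
<p>Sorry, there are no products in this collection</p>
</body></html>"""

NOINDEX_HTML = f"""<html><head><title>{MARKER} | Example Store</title>
<meta name="robots" content="noindex"></head>
<body><h1>{MARKER}</h1></body></html>"""

HARDENED_HTML = """<html><head><title>Example Store</title></head>
<body><h1 class="collection-hero__title"></h1></body></html>"""

ROBOTS_TXT = "User-agent: *\nDisallow: /collections/vendors\n"

if __name__ == "__main__":
    for label, body in [("vulnerable", VULNERABLE_HTML),
                        ("noindex", NOINDEX_HTML),
                        ("hardened", HARDENED_HTML)]:
        print(label, classify(200, body))
    print("fixed store", classify(404, ""))
    print("robots blocks vendors:", robots_blocks(ROBOTS_TXT))
    print("robots blocks /collections/all:", robots_blocks(ROBOTS_TXT, "/collections/all"))
```

The hit paths (html/head/title, meta@content, html/body/h1) tell you which template to open: the title block in theme.liquid, the social-sharing meta tags, and the collection header. A store that comes back as "noindex" is no longer an indexing problem but is still serving attacker-chosen text to anyone who follows a spam link.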
Thank you for flagging this issue in the Community. We have raised the issue with our developers for further review. We do not have a timeline on the fix, however, I will provide an update once this has been resolved.
I would encourage you to view our top related threads on this issue that provide viable workarounds:
Our developers have recently shipped a change that will generate a 404 page if the vendor is unknown (based on the query string). The change will block it from being indexed on Google. These changes will only apply to vendor pages, but our teams will investigate whether other pages may be vulnerable to this abuse.
This change is rolling out platform-wide as we speak, so it may take some time for you to see these changes implemented. However, moving forward, this should help mitigate the ability spammers have to take advantage of the query printout to advertise their spam links.
That’s good news, Trevor. It would be really great if they just added an option in the admin to turn off the /collections/vendors page entirely since the scope is not one we can access. It was a huge surprise to find a page that was completely out of my control on the site. I’m sure other merchants are equally surprised when they find out.
Update: Looking at Google Search Console, I found that we jumped from around 2,000 pages indexed to over 6,185,166 in the space of a week at the end of December. Yes, that's millions of fake pages created by this exploit...
4,655,957 pages are now blocked by the change I made to robots.txt and 1,119,902 are crawled but not indexed (likely due to my block).
We have had this appear on our sites (Google says in October).
SERPs for valid pages appearing with Google translation options, and then around a thousand of the vendor-related URLs.
At the moment, if I click them from Search Console, they seem to go to a 404 page.
Is that considered fixed, as the threads that have been recommended are full of many band-aid fixes?
Also, now in Search Console as of the 18th we are getting URLs containing [email removed]
There is a thread on this here:
Shopify Bug - Web Pixels Manager Sandbox
My question is: where is the best place to read a statement from Shopify addressing these bugs, ensuring Shopify customers that they are being fixed and that Google search ranking etc. should not be affected further?
The web-pixels-manager bug is a new one on me. I only have a single entry now but I’ve gone ahead and blocked it in my robots.txt and in the search console as a precaution. Thanks for pointing that out!
If the other URLs on your site do go to true 404s then I would assume that the problem will resolve itself in the Google index over time.
I reported/described this issue weeks ago as I had discovered tens of thousands of URLs in GSC.
Shopify's response was useless, and I had no idea about the intention of these q param URLs.
Hi, sorry, I've just noticed this one too. Can you explain how I do this, please? This isn't my forte and Shopify seems to have too many bugs at the moment. I was on live chat for over an hour re the collections/vendors thing. They said it was nothing to do with them and to hire an expert!
Try checking the links directly on your site. I just received a message this week from Shopify that says they are rolling out a fix to block these URLs across all sites. If this update has reached your site, you should get a page not found message when you try to visit one of the links. If that happens, Google will pull them out of the index in a week or two.
I heard from the Shopify dev team this week… A fix is going in now and will be rolling out to every site very soon. The fix will send all requests to the vendors page to a 404. This should clean up all spam links in Google within a couple weeks (once it hits your site).